A better way to think about passwords

Nicholas Cole nicholas.cole at gmail.com
Fri Apr 22 16:04:33 CEST 2011


On Thu, Apr 21, 2011 at 1:38 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>> In short: don't force a particular strategy on your users.  Much
>> better to explain to users the general problem, and then leave it up
>> to them to pick a password.
>
> Historically speaking, this has been shown not to work.  I'll try to dig up the HCI references if people really want, but the gist of it is people don't want to have to learn and understand: they just want to get their work done.  The instant you make compliance voluntary and education-based, the vast majority of users say "meh" and choose "password" as their login credential.
>
> The belief that security problems can be solved by educating users is a common one: it is also a deluded one.  It handwaves the very serious problem of most users not wanting to be educated and being actively hostile to it.  "Why do I have to learn all this propellerheaded geek stuff?  I just want to get my work done!"

You know, I worded the above poorly, and for that I have only myself
to blame for the fact that you jumped on the obvious objection to a
complete free-for-all.

It probably is wise to have some sort of control in place to prevent
very stupid passwords.  Even in 1997 my university had a system in
place that prevented the use of dictionary words (including Latin and
- IIRC - Greek words) or passwords that were merely dictionary words
with a number added at the end.

What I meant was rather this: there are several strategies that
produce good passwords.  Teaching them requires (at some employers) a
30 minute course or the reading of a web page.  However, forcing any
*particular* strategy onto users will dramatically reduce the time it
takes to guess a password, since knowing the strategy reduces the
number of possibilities dramatically.

I thought we were talking about this particular proposal (the "use
three dictionary words" one) and my point was that if everyone were to
use this its security would be dramatically reduced.  However, as one
of several strategies available to those selecting passwords, it
probably isn't a bad one in and of itself.

Nicholas
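The two arguments in the post above (a filter that rejects dictionary words and dictionary words with trailing digits, and the claim that an attacker who knows the "three dictionary words" strategy faces a far smaller search space than a character-length estimate suggests) can be put into numbers. The following is an added illustration, not code from the thread or from GnuPG; the word list, the 10,000-word dictionary size, and the guess rate are constructed assumptions chosen only to make the arithmetic concrete.

```python
import math
import re

# Constructed toy word list standing in for the university's dictionary
# (a real deployment would load the system dictionary, tens of thousands
# of words, plus the Latin and Greek lists the post mentions).
WORDLIST = frozenset({
    "correct", "horse", "battery", "staple",
    "password", "secret", "monkey", "dragon",
})

# Assumed dictionary size used for the keyspace arithmetic below.
ASSUMED_DICTIONARY_SIZE = 10_000


def rejected_by_dictionary_policy(password: str, words=WORDLIST) -> bool:
    """Model of the 1997-style check from the post: reject a bare dictionary
    word, or a dictionary word with only digits appended. Anything else
    (concatenated words, substitutions, symbols) passes this particular filter."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if m is None:
        return False
    return m.group(1).lower() in words


def bits_naive(length: int, alphabet_size: int) -> float:
    """Keyspace in bits if the attacker treats the password as an arbitrary
    string over an alphabet (what a character-count policy measures)."""
    return length * math.log2(alphabet_size)


def bits_known_strategy(dictionary_size: int, n_words: int) -> float:
    """Keyspace in bits once the attacker knows the 'n dictionary words'
    strategy: only dictionary_size ** n_words candidates remain."""
    return n_words * math.log2(dictionary_size)


def bits_union(strategy_bits: list[float]) -> float:
    """Upper bound on the attacker's work when users are spread over several
    strategies and the attacker must enumerate all of them: the keyspaces
    add, so the bits are the log of the sum (dominated by the largest)."""
    return math.log2(sum(2.0 ** b for b in strategy_bits))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ["password", "password1", "Dragon42", "correcthorsebattery", "p4ssw0rd"]:
        print(f"{pw:22s} rejected={rejected_by_dictionary_policy(pw)}")

    three_words = "correcthorsebattery"  # 19 lowercase characters
    naive = bits_naive(len(three_words), 26)
    known = bits_known_strategy(ASSUMED_DICTIONARY_SIZE, 3)
    print(f"naive estimate: {naive:.1f} bits; known strategy: {known:.1f} bits")

    rate = 1e9  # constructed offline guess rate, guesses per second
    print(f"exhaust at {rate:.0e}/s: naive {seconds_to_exhaust(naive, rate):.2e} s, "
          f"known {seconds_to_exhaust(known, rate):.2e} s")

    # If three-word passwords are only one strategy among several, the
    # attacker's total work is bounded by the sum of the strategy keyspaces.
    print(f"three-word as one of several strategies: "
          f"{bits_union([known, bits_naive(12, 95)]):.1f} bits")
```

With the assumed 10,000-word dictionary, three words give just under 40 bits, while the same 19 lowercase characters read as an arbitrary string would look like about 89 bits; that gap is the cost of every user following the same mandated strategy. The `bits_union` figure shows the other half of the argument: when the three-word scheme is one of several strategies in use, an attacker who must cover all of them is limited by the largest keyspace, not by the weakest scheme alone.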



More information about the Gnupg-users mailing list